How to write a Risk, Issue and Opportunity Management Plan
Plan Risk Management Processes is step 1 in the risk, issue and opportunity (RIO) Management Process.
In basic terms, this is the step in the RIO management process where you think about how you will manage risk on your program and then document that in a written plan. This plan is called a Program Risk, Issue and Opportunity Management Plan (RIOMP).
The inputs to this plan typically include:
Program documents (Statement of Work, Contract Documents, WBS)
Customer Risk Management Requirements
Expert Insights
Your organization's risk management processes
The level of detail and complexity of the RIOMP depend on the following factors:
1. Existing organizational RIO processes.
Does your organization have established risk, issue and opportunity management processes? If it does, then your plan can be shorter and reference these processes.
2. Scope of the program and types of deliverables.
Service-based, hardware, software, research and development, etc.
3. Type of contract
Firm Fixed Price, Cost Plus Fixed Fee, Time and Material, etc.
4. Dollar value of the contract
Do you have earned value management requirements?
5. Requirements of the contract
Is RIO management called out in the contract?
Are there any flow-downs or specific formats required?
For less complex and lower risk programs (more on how to determine that another time), the RIOMP can be a separate section in the program management plan as opposed to a stand-alone plan. OK, OK, got it: you need a plan to manage risks, issues and opportunities. But what actually goes into a RIOMP?
Below is a suggested outline for a RIOMP, as well as considerations for each section.
1. Introduction
Strategy and purpose of the risk management plan (hint: this should be to achieve technical performance, cost and schedule)
If there is anything unique about the strategy, highlight it here
2. Program Overview
Customer
Period of performance
Scope
Type of contract
3. Overall Risk Level of the Program
Low, medium or high
Include rationale for the level
4. Resources, Roles, and Responsibilities
Identify and define the roles/responsibilities of key stakeholders in RIO management
This should include at a minimum: the program manager, the chief engineer or technical lead, contracts, program controls, program planning, other relevant subject matter experts for the program
How much money will you include in your program budget for risk management?
This can be a separate WBS number, be part of your program management WBS number, and/or be in your management reserve
5. RIO Identification
When will RIOs be identified on the program?
What techniques will be used to identify RIOs?
Where will these RIOs be documented?
Who approves RIOs to be added to the RIO register?
6. RIO Analysis
How will you qualitatively and quantitatively analyze and rank your risks?
What are the parameters for your probability and impact ratings?
7. RIO Responses
What are the different types of responses for your risks, issues and opportunities?
What are the selection criteria for each type of response?
How are responses planned?
Where are RIO responses documented?
8. RIO Monitoring
How will you monitor your risks and risk responses?
When and how will you ensure that new RIOs are captured?
Where is risk monitoring documented?
Will you have a risk review board (RRB) and if so at what frequency?
Appendix A: Risk Management Meetings, Deliverables and Schedule
If you have RIO-related deliverables as part of your subcontract data requirements list (SDRL) or contract data requirements list (CDRL), you can list them here
If you don't have a contractual requirement, you can still list how often you will update your risk register, hold your risk review board, etc.
Note: I strongly recommend that your organization has standardized RIO management processes and templates. This will make your program managers' lives much easier when they have to write their RIOMPs and ensure that you are comparing apples to apples across your programs.